Greetings. The TLS 1.3 draft, in sec. 4.2.3 (Signature Algorithms), says that if a client wants to negotiate TLS 1.3, it must support an upgraded (and incompatible) version of TLS 1.2: one that changes RFC 5246 to allow RSA-PSS in sec. 7.4.1.4.1 (Signature Algorithms).
You might recall that the possibility of negotiating between PSS and RSASSA-PKCS1-v1_5 in the TLS 1.3 handshake, just as is allowed for X.509 signatures, was discussed on the mailing list. The WG decision then was to hard-wire PSS in the TLS 1.3 handshake. I don't recall any discussion of going further than this, all the way to changing the 10-year-old TLS 1.2.

Unfortunately, our products have issues with PSS that are beyond our control. The only solution left to avoid receiving PSS with TLS 1.2 is to never negotiate TLS 1.3 as a client. Another solution is insecure fallback, but we presently don't do this.

Is my reading of the situation correct? Thank you.

_______________________________________________
TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
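The mechanism the message describes, as an added example that is not part of the original post or of any IETF text: a client that lists TLS 1.3 in supported_versions also has to list rsa_pss_rsae_* in signature_algorithms, and a TLS 1.2 server with an RSA key picks the ServerKeyExchange signature from that same list. The code encodes and parses the two ClientHello extensions, checks the draft's requirement, and shows a PSS-preferring TLS 1.2 server choosing PSS whenever the client offered TLS 1.3. The extension bytes and the server preference list are constructed for the example; the code point values are those of RFC 5246 and RFC 8446, and the client's scheme ordering and the "first server preference the client offered" selection rule are assumptions, not any particular implementation's behaviour.

```python
"""Added illustration: how the TLS 1.3 draft's sec. 4.2.3 rule brings RSA-PSS
into a TLS 1.2 handshake. All byte strings here are constructed for the example."""
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SIGNATURE_ALGORITHMS = 13   # RFC 5246 sec. 7.4.1.4.1 / RFC 8446 sec. 4.2.3
EXT_SUPPORTED_VERSIONS = 43     # RFC 8446 sec. 4.2.1

# SignatureScheme code points. In the TLS 1.2 encoding the first byte is the
# HashAlgorithm and the second the SignatureAlgorithm (sha256=4, rsa=1).
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
RSA_PSS_RSAE_SHA512 = 0x0806
PSS_SCHEMES = {RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512}


def encode_extensions(versions, schemes):
    """Encode a ClientHello extensions block carrying supported_versions (only
    if `versions` is non-empty, i.e. the client offers TLS 1.3) and
    signature_algorithms."""
    body = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        data = struct.pack("!B", len(vlist)) + vlist          # 1-byte length prefix
        body += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    slist = b"".join(struct.pack("!H", s) for s in schemes)
    data = struct.pack("!H", len(slist)) + slist              # 2-byte length prefix
    body += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data
    return struct.pack("!H", len(body)) + body


def decode_extensions(buf):
    """Parse the block back into {ext_type: [values]}. Unknown extensions are
    skipped; inconsistent lengths raise ValueError instead of being trusted."""
    if len(buf) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", buf[:2])
    if total != len(buf) - 2:
        raise ValueError("extensions length mismatch")
    pos, out = 2, {}
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        data = buf[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            if n != len(data) - 1 or n % 2:
                raise ValueError("bad supported_versions length")
            out[ext_type] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
        elif ext_type == EXT_SIGNATURE_ALGORITHMS:
            (n,) = struct.unpack("!H", data[:2])
            if n != len(data) - 2 or n % 2:
                raise ValueError("bad signature_algorithms length")
            out[ext_type] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return out


def client_hello_extensions(offer_tls13):
    """What a conforming client sends (ordering is an assumption). Offering
    TLS 1.3 obliges the client to list rsa_pss_rsae_* as well, and those
    entries are visible to a server that then negotiates TLS 1.2."""
    schemes = [ECDSA_SECP256R1_SHA256, RSA_PKCS1_SHA256, RSA_PKCS1_SHA384]
    versions = []
    if offer_tls13:
        versions = [TLS13, TLS12]
        schemes = [RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384] + schemes
    return encode_extensions(versions, schemes)


def violates_draft_rule(ext_bytes):
    """True if the ClientHello offers TLS 1.3 but lists no RSA-PSS scheme."""
    ext = decode_extensions(ext_bytes)
    offers13 = TLS13 in ext.get(EXT_SUPPORTED_VERSIONS, [])
    return offers13 and not PSS_SCHEMES.intersection(ext.get(EXT_SIGNATURE_ALGORITHMS, []))


def tls12_server_pick(ext_bytes, server_prefs):
    """A TLS 1.2 server with an RSA key picks the ServerKeyExchange signature:
    first scheme in its own preference order that the client listed (assumed
    selection rule), or None if there is no overlap."""
    offered = decode_extensions(ext_bytes).get(EXT_SIGNATURE_ALGORITHMS, [])
    for scheme in server_prefs:
        if scheme in offered:
            return scheme
    return None


if __name__ == "__main__":
    pss_first_server = [RSA_PSS_RSAE_SHA256, RSA_PKCS1_SHA256]   # constructed preference
    for offer in (True, False):
        ch = client_hello_extensions(offer)
        print("offers TLS 1.3:", offer, "-> TLS 1.2 server signs with",
              hex(tls12_server_pick(ch, pss_first_server)))
```

Run stand-alone, the script shows the only configuration in which this server never uses PSS in TLS 1.2 is the client that does not offer TLS 1.3 at all, which is the trade-off the message describes; `violates_draft_rule` is the check a client would run on its own ClientHello before sending it.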